Archive for June 2017

While all the AV/TI/INFOSEC firms have been masturbating to the latest outbreak of systems degrading malware, I have been sitting back after insuring that my environment has not been hit nor anyone connected to it. Since the reversal’s and the inevitable attribution fuckery cycle has spun up I have been pondering things outside the usual whodunnit. Lesley Carhart had a good post on why one should worry about such attacks and this kind of malware that people should read, I want to go a different route. What I want to talk about is motivation and with that motivation, yes, who is more likely to have carried out the attack. In this case we have yet another piece of malware that was either well coded or poorly coded depending on who you talk to. It was targeted or not targeted depending on who wants to sell you a service too. Well, I have nothing to sell you all, I just want to point out some interesting things regarding the whole mess.

The one simple fact that the malware used a Ukrainian tax software (MEDoc) as the means of initial attack is telling. The time-line on this also pretty much shows (and I experienced this from messages to me the day of the incident) that Ukraine was patient zero. By looking at the image below from the linked page you can see that a great swath of Ukrainian infrastructure was hit on the 27th. Coinciding with this malware attack later in the day several military and government individuals were assassinated in Ukraine as well. Are you starting to see a pattern here?

Recently Wired had a big article on how some in the security community had been feeling that Ukraine was the testbed for Russian active measures in the cyber warfare battle space and this is something I agree with. They have been using active measures of this nature for some time. In fact I actually located some malware in dumps of the Russian media company created by Putin to be a propaganda and intelligence wing for Russia in the region last year. The attacks on the Ukrainian elections as well as the electrical grid now twice by “unknown actors” (Russia) (insert stupid code name from TI firm HERE) have shown just how willing the Russians are to use such technologies in the region. Understanding what they are doing though needs more than the myopia of reverse engineers and sales people in the security space to impart that to you so I will put it plainly here for you;

Russia is carrying out an all out war against Ukraine and they are now using the means to an end of malware to deny, degrade, and deter the Ukrainian people and their government from being their own.

Russia’s use of these malware attacks have a secondary but important function psychologically to bolster the idea that the Ukrainian government cannot protect itself nor its people

Russia’s use of these kinds of measures is just another part of the playbook to add to the battle-space

The Russians get the advantage of using these techniques on Ukraine and no one is stopping them. They get the advantage of a smaller state infrastructure to attack which means more amplification of the effects on the populace as well. In larger states it is harder to carry these out and obviously would take much more effort. In fact, in the case of the Russian meddling in the US elections last year, one can see how much effort it took on the Russians part to carry out the attacks but as well, how a larger and diffused infrastructure gives varying levels of returns. Alas, for poor Ukraine you can see just how effective at degrading and perhaps disenfranchising the general populace can be with such attacks on their infrastructure. I heard one comment from a Ukrainian that just bespoke their resignation to the interruptions as they happen so much. All of this though, demoralizes the population and in the case of Ukraine, since the Maidan event, they have fought hard to stay free and that is why Russia is ramping up their attacks.

So yeah, my money is on Russia and I will stick with Occam’s razor on that one. Now, on other thoughts about this malware and Wannacry I just have to once again muse about how we have now reached a place where malware is reaching parity with bio weapons. I say this in the sense that malware like Nyetya and Wannacry both had unintended consequences once released either willfully for by accident. They broke out of their cages, their battle-spaces, and began to infect the populace globally. Instead of having some poor shmuck getting on a plane and infecting the world, we now have malware that is either scanning the net for clients to attack or being sent out and then forwarded by accident (or on purpose) by actors. Could some of the infection vectors and trajectories be chaff to obscure the real targets? Sure, but I think in these last two cases the attackers perhaps did not take into account the interconnectedness of the world today.

….Or that’s exactly what the counted on…

Anyway, those are my thoughts on the subject. We are at a crossroads where malware like this can cause headaches but in the end, the world did not end did it?

Did I miss it?

Damn.

EDIT: I also failed to mention that this attack took place one day before their Consitution Day, ya know that thing where they proclaim they are not a part of Russia. Mmmmmyeah…

Rate this:

Welp, I found the darknet site for the ShadowBrokers new monthly dumps service this morning. The site’s proper name according to the masthead is Scylla Hacking Store, which if you Google up Scylla Hacking you locate a tool and a preso by two Columbians from DC20 called “Scylla, because there is no patch for human stupidity” which make me wonder if this site name is a double entender on perhaps the tool being used to hack the NSA as well as the cut line of “There is no patch for human stupidity”, which implies that it was something really stupid that led to this compromise of the NSA. Of course that is all supposition on my part but the more I look at this site and the attitudes of the Shadow Brokers I tend to think I am onto something there, I mean, they aren’t that subtle right?

The site requires you to create a login and uses the proper security protocols as passwords go, BUT, as you are on the darknet the one thing that makes you think is that they require Java to do business with the site and that is a no no in the darkwebs. So I temporarily allowed the site and created an account so I could have a look around. The site has more than a few sections selling their wares and those include now APT exploits not only from the US but it seems from other countries and actors like Cozy Bear, using the Crowdstrike terminology for Russian actors. They have the old favorites too from FuzzBunch payloads and sources as well as DoS tools and other goodies for sale, so it seems we are now seeing all the things they have that may or may not have come from their hacking of the NSA?

When you create an account the site generates a bitcoin wallet for you and then you have to transfer funds to it for transactions, it is literally their wallet and you are gaining points or credits to buy the exploits you want. I checked the wallet and there is in fact a zero balance so perhaps they are generating them on the fly or this wallet is in use by the brokers as the sole one? In any case, they have come through as promised before that they would create the dumps service and now they are using the bitcoin once again as their means to an end.

Overall it seems that whoever is behind this not only has NSA’s trove but also a bunch of other exploits, tools, 0day, etc. They are in the market for making money this time and they are carrying it all out in the darknet.

So, is this Russia or is this DPRK?

Who needs money?

I know a guy…

Maybe….

Honestly though, for the longest time this group has to me, seemed to be GRU/FSB fuckery but now with this whole money making scheme I am not so sure anymore. Of course it could be RU just fucking with everyone and making it look like maybe it is ol’ Un. I mean with the fake written Asian dialect it is easy to see that someone is trying to make it look like it’s Lil Kim and his Funky Bunch …Meh, it’s all just games anyway. We live in interesting times though. I guess I should just now look forward to another group of hackers to try to crowd source funds to send them the bitcoins for these sploits huh?

Derp.

K.

Rate this:

Why is it that the military just can’t grasp that on the net you can’t just use a sledge hammer to make things go away? It seems they finally have gotten a taste of reality in the war against Da’esh with their cyber weaponry hitting their targets only for the Da’eshbags to re-constitute from backups and new domains bought cheaply. I for one have been saying that it is pointless to just DoS them offline or fuck with them in hopes they would go away for many a year, guess now they might get it after their failures.

Ya see kids, it is not about big cyber booms and these guys go away and unless you are using some super software that pops GPS coords into a Raptor’s telemetry and launch a hellfire, you are pretty much gonna be shit outta luck in making a big difference here. Now the prosecution of the war itself may be benefited by such tools (if they exist) but when you see things like the text from the NYT’s article you see that even the administration just fundamentally did not get it. The NSA is a SPY agency and that is their charter, so asking them to dismantle portable networks that are easily re-constituted with new off the shelf hardware and software bespeaks a fundamental lack of understanding about the technology.

So here’s my advice to all you cyber warriors; Use the technologies that SPIES use to gather intelligence and then pass that intel to the HUMINT folks. Hell, for that matter have a two way connection here and use the tech to watch them, interact with them, and then use the information to make kinetic retaliation possible. You know what made AQAP’s propaganda machine slow down? It was when we blew their propaganda team off the face of the earth. In essence kill them. End them. Use the technology to get at them and end them. Stop it with all this whiz bang idiocy thinking you can take them offline and have them not come back in a day or so with a backed up copy of their shitty jihadi boards.

Just one man’s opinion, but you don’t need a sledge hammer to put a thumb tack in the wall.

There are no quick fixes here.

Just sayin.

K.

Rate this:

So Bloomberg has a story out today concerning allegations that the hack on the election was larger than first admitted to by authorities and the leak of a document by Reality Winner. This of course started the Twitterati to start making noises and got me to thinking about the whole thing. People have been asking about whether or not the hack was successful and to what end would the hacks be if they were successful or not. I myself have held the idea that the success or failure of the hacks isn’t as important as the notion that the systems had been tainted by hacking or manipulation. As you all may remember there were news stories of how the hackers attacked the systems before the elections before Reality dropped her document on the Intercept and then promptly went to jail for her stellarly bad OPSEC. Those stories seem to have been largely forgotten by the general populace but not so much with the IC given the snips of the document given to the Intercept. The snips show how the adversaries used common phishing exploits to “spearphish” the users at particular companies in a credential harvesting operation. Once I really took a close look at these though I began to question some things and thought maybe you all should too.

Why doesn’t the NSA know whether or not the attacks were successful?

So yeah, why doesn’t the NSA know whether or not things worked for the adversaries attacking these systems? Were there no forensics? Were the NSA not allowed to see anything? One begins to wonder why all this is in the report marked TS and such. Of course something in the markings also says “To US” so would this imply that the data came from FIVEEYE to the us? Once you begin to ponder all these things you start down the dark path of the game of shadows and we don’t need that. All of this said though, once again, the document here is showing only that they know attacks happened but they have no evidence of the attacks working and to what extent.

Why is that?

Where are the C2’s and other IOC’s?

Given that we don’t have the information on whether or not these attacks worked, then I guess it is a foregone conclusion to ask for, ya know, evidence right? Well I am gonna ask anyway, where is the evidence of the attacks other than the email address given in the report? No C2’s no infrastructures outlined. Are they in another compartment somewhere? In fact Reality had made mention of another document in her jailhouse tapes so are these bits in there? Without these one cannot conclude much of anything as to the adversary we are dealing with. After all, you all in the business know that these kinds of phishing attacks are quite common. How many of you blue team folks who read me have seen these same kinds of Google Drive/WP/PHP sites that harvest creds then pass you to the site you wanted?

This is not advanced

This is not uncommon

This is not a lock on any adversary in particular

Yet here they are saying it was the GRU… Why? What other evidence do they have? HUMINT? SIGINT? None of this is mentioned in what we have been given by the Intercept.

Why is this all marked TS if there is no real sources and methods here to burn?

Back to the whole TS/FVEY/ORCON alphabet soup, why is this being held so closely? Now, I have my own particular bent here that I have written about in the past which goes something like this;

We don’t want to admit the hacks happened because if we did it would cast doubt on the election

If we admit they happened people will doubt the system and it will erode the democracy

If we admit they happened AND they actually got in and they manipulated the system… Well… HOLY SHIT there’s goes the election system and the democracy

If we admit it happened and it worked then how much trust would there be in the government anymore?

In fact in articles circulating today, and I think it was in the Bloomberg piece, the case was made by President Obama that they would not want to admit to a hack for these very reasons…

So, there is that huh? If the scope of the hack is proven then it will in fact have the effects above and it would give Putin the satisfaction that his goals of active measures are still bearing him smelly fruit. I can then see them wanting to keep all of this stuff super secret couldn’t you? I guess Reality, though an idiot, perhaps had the same feeling and decided to do this in some warped view on trying to get rid of the current president. Another reason may be, and this is a tenuous one, that all of this is now part of the investigation into Russian meddling that the Congress is carrying out. I doubt that is the reason though. I really think it is just the IC being the IC and that the government has a reason to keep this all secret because it would erode things further where the government and our system of elections are concerned.

GRU or Patriot Hackers? (A Team versus B Team)

Alrighty, now we get on to the whole whodunnit thing. The documents sure do say that it is the GRU but like I said they don’t give you enough proof to do anything in a court of law for sure. While I was pondering this I had a flash on what Pooty said recently about “patriot hackers” and how the NSA document here alludes to klunky attacks. Like I said above, these phishing exploits are not uncommon. I see these every god damned day so it is really a measure of how well they were put together and whether or not escalation and pivoting happened to show another kind of actor here. Oh, and yeah, that information is conveniently not in the report here and once again, the NSA does not know if the attacks succeeded.

Think about that.

Then they go on to say it was Russia.

Ok, so maybe, just maybe it was Russia but it was the patriotic hacker B team eh? What if Pooty was telling a truth there and we all just scoffed and moved on? Given what the documents say I can see that maybe some talented amateurs or a B team decided to carry out a moonlighting operation to amplify things. Hey crazier things have happened right? What I am saying is open your minds to the idea that this was not the GRU but other actors like cyber patriots who may have gotten in but then failed to really do damage to the systems.

Maybe.

Without ya know like evidence though… Meep Meep.

Conclusion:

Welp, the cat is out of the bag NSA. It’s time to fess up. I think you and the government need to start producing evidence, forensic evidence, or GTFO. If the election data was hacked and manipulated then let us all know and then FUCKING FIX THE SYSTEMS AND MAKE THEM CRITICAL FUCKING INFRASTRUCTURE!